Coronavirus, COVID-19, or SARS–CoV–
A majority of attacks in recent times have been related to an ongoing campaign called COVID-19. This is the pandemic the digital world is dealing with. The recent wave of attacks under this campaign has included spam impersonating the Centers for Disease Control Prevention (CDC) and World Health Organization (WHO). While some ransomware operators have backed out from targeting health-related industries, several attacks have still been observed on the critical functioning COVID-19 testing centers in various parts of Europe. These attacks can be remediated using a patch management solution.
Attacks under the umbrella of the COVID-19 Campaign
- Apt36(also known as Transparent Tribe, ProjectM, Mythic Leopard, TEMP.Lapis), a state-sponsored threat actor has been distributing Crimson Remote Administration Tool (RAT) via malicious documents disguised as health advisories sent by Indian government officials. Attackers have stolen credentials from victim’s browsers, captured screenshots, collected information about running processes, directories and drives from the target systems.
- Several other state sponsored APTs have ben related to this campaign.
Chinese APTs: Mustang Panda and Vicious Panda
North Korean APT: Kimsuky
Russian APTs: Hades and TA542 - TrickBot Trojan was distributed in Italy using malicious Word documents. Once installed on a target, the Trojan steals confidential information and spreads laterally in the network. TrickBot eventually launches PowerShell Empire or Cobalt Strike and provides access to Ryuk ransomware operators for further infection.
- Many new malwares have been named CoronaVirus itself. CoronaVirus ransomware has been distributed along with the Kpot information-stealing Trojan through fake websites highlighting a legitimate Windows system utility named WiseCleaner. Another CoronaVirus malware locked out users on Windows Systems.
Some more attacks:
- A malware downloader named GuLoader distributed in a ZIP file attachment with emails. GuLoader in turn downloads an information-stealing Trojan named FormBook which possesses a functionality of keylogging and steals banking credentials, web site login credentials, cookies, etc.
- Raccoon information stealer distributed using open redirects under the website of the U.S. Department of Health & Human Services. These redirect victims to phishing landing pages and download the malware on targets.
- Netwalker Ransomware infections have become prevalent with the COVID-19 campaign delivered as malicious attachments with emails.
- Redline information-stealing Trojan distributed through emails urging users to download Folding@home application but delivering the malware instead. This malware can steal saved login credentials, credit cards, cookies, and autocomplete fields from browsers.
- A few cyber-attacks have hijacked and changed router’s DNS settings to display alerts for a fake COVID-19 information app from the World Health Organization and deliver the Oski information-stealing malware. These kinds of attacks used to steal money from bank accounts, perform identity theft, or launch further spear phishing attacks.
- Zeus Sphinx banking Trojan has resurfaced after three years to steal banking credentials from users under the COVID-19 spear phishing campaign.
- Another wave of attacks delivered the LokiBot Trojan using similar spear phishing lures.
A careful analysis of each of the attacks reveals that the main attack vector used in this campaign is spear phishing emails with COVID-19 themed lures.
A variety of documents including Microsoft Office files, zip files, Excel documents with embedded malicious macros, RTF documents, open redirects, PDFs, etc. distributed as attachments with spam emails with Coronavirus related information.
Vulnerabilities exploited
The distributed lure documents is to exploit CVE-2017-11882 and CVE-2017-0199, which are critical remote code execution vulnerabilities in Microsoft Office.
SanerNow lists the potential targets for malwares in an enterprise network (shown in the figures below). SanerNow also lists the attack vectors used by each of these malwares or cyberespionage groups, and facilities automated patching for these vulnerabilities on affected systems. The additional details such as the specific behavior of every malware or cyberespionage group helps organizations in effectively preventing security incidents.
Fig1. SanerNow listing of potential targets in an organization for COVID-19 Campaign
Fig2. Details about COVID-19 Campaign
General recommendations to prevent attacks during the COVID-19 Crisis
- Refrain from opening any emails and messages which you don’t known.
- Avoid clicking on links and opening documents sent on instant messaging platforms or emails. It is always advised to look for information from legitimate websites instead of following links found elsewhere.
- Keep your systems up to date with the latest security patches.
- Educate your teams and other members of the organization to use security products while working remotely. Here are a few guidelines that would prove to be useful.
- Never provide sensitive information to agents trying to reach out on calls or emails. WHO and then other governmental organizations never ask for sensitive data or direct donations for emergency response.
- Set strong and unique passwords wherever applicable rather than weak ones.
However, SanerNow detects the vulnerabilities which used as infection vectors for the COVID-19 Campaign. Moreover, download SanerNow and keep your systems updated and secure.
Pretty neat and detailed article.. keep writing more Vidita
thanks for sharing this wonderful article. We are the best at&t support, at&t support,at&t customer service phone,atandt customer service.